RISK CONTROL SYSTEM

FIELD OF THE INVENTION

The present invention relates to a method and system for controlling risk, of particular but by no means exclusive application in quantitative risk assessment and mitigation.



BACKGROUND OF THE INVENTION

There are essentially two approaches to risk analysis: qualitative and quantitative. Qualitative risk analysis is a technique that can be used to determine the level of protection required for applications, systems, facilities, or other enterprise assets. During the systematic review of assets, threats, and vulnerabilities, the team will be able to establish the probabilities of threats occurring, the cost of losses if they do occur, and the value of the safeguards or countermeasures designed to reduce the threats and vulnerabilities to an acceptable level. The qualitative methodology attempts only to prioritize the various risk elements in subjective terms.

Quantitative risk analysis attempts to assign independently objective numeric values to the components of the risk analysis and to the level of potential losses. When all elements (asset value, threat frequency, safeguard effectiveness, safeguard costs, uncertainty and probability) are quantified, the process is considered to be quantitative.

The respective advantages and disadvantages of these two approaches may be summarized as follows:



Qualitative Risk Analysis Approach

| ADVANTAGES | DISADVANTAGES |
|---|---|
| calculations are simple | subjective in nature |
| monetary value of assets not required | depends solely on quality of risk management team |
| unnecessary to quantify threat frequency | limited effort devoted to assigning monetary value to targeted assets |
| non-security and non-technical staff readily involved | provides no basis for the cost-benefit analysis of risk mitigation |
| flexibility in processing and reporting | |

Quantitative Risk Analysis Approach

| ADVANTAGES | DISADVANTAGES |
|---|---|
| results are substantially based on independently objective processes and metrics | calculations can be complex |
| great effort put into asset value determination and risk mitigation | works well with a recognized automated tool and associated knowledge base |
| obliges the conducting of a cost/benefit assessment | requires large amounts of preliminary work |
| results can be expressed in management-specific language | generally not presented on a personal level |
| | participants cannot be easily coached through the process |


Most existing risk assessment models are qualitative; risks are measured based on perceived threat and not quantified through mathematical means. However, as perception of threat differs from assessor to assessor, risk assessment derived by qualitative means tends to be inconsistent, hence making the results unreliable and unusable.

The characteristics of various existing techniques are as follows.

1. 10-Step Qualitative Risk Analysis (QRA)

The ten steps of this approach are:

i. A Scope Statement is developed;
ii. A cross functional Competent Team is assembled to assess the risks;
iii. All threats (characterized in terms of agent, motive and results) are identified;
iv. Threats are prioritized (by a strong team);
v. Impact Priority is assessed;
vi. Total Threat Impact is calculated;
vii. Safeguards are identified;
viii. A Cost-Benefit Analysis is made of the controls against cost and effectiveness;
ix. Safeguards are ranked in order of priority; and
x. A Risk Analysis Report is prepared.

Thus, for example, a notional Risk Analysis Report might include the following:



| THREAT | THREAT PRIORITY (TP) | LOSS IMPACT (LI) | RISK FACTOR (TP + LI) | POSSIBLE SAFEGUARDS | SAFEGUARD COST |
|---|---|---|---|---|---|
| Fire | 3 | 5 | 8 | Fire suppression system | $15,000 |
| Tornado | 2 | 5 | 8 | Business continuity plan | $75,000 |
| Water damage | 2 | 3 | 7 | Business continuity plan | $75,000 |
| Theft | 3 | 5 | 5 | | |





This technique forms the basis of all existing risk assessment: a risk analysis team is formed, threats and their effects are discussed during the risk assessment and countermeasures are used to mitigate risks.

2. 3-Step Qualitative Risk Analysis (QRA)

The three steps of this approach are:

i. Asset Valuation;
ii. Risk Evaluation; and
iii. Risk Management.

A notional result of the approach might include:



| FINANCIAL LOSS | VALUATION SCORE |
|---|---|
| < $2,000 | 1 |
| $2,000 to $15,000 | 2 |
| $15,000 to $40,000 | 3 |
| $40,000 to $100,000 | 4 |
| $100,000 to $300,000 | 5 |
| $300,000 to $1,000,000 | 6 |
| $1,000,000 to $3,000,000 | 7 |
| $3,000,000 to $10,000,000 | 8 |
| > $10,000,000 | 9 |



This is a slight modification of the first above mentioned approach, in which a scoring system is used whenever possible. A re-assessment interval of 1.5 to 2 years is recommended.

3. Information Security Risk Analysis (ISRA)

The three steps of this approach are:

i. A Risk Analysis Matrix is created (according to Integrity, Sensitivity and Availability);
ii. Risk Based Control is selected; and
iii. Preparation of documentation.

A notional Risk Analysis Matrix might be:



| DATA | Integrity: modification or destruction of information | Sensitivity: disclosure of information | Availability: unavailability of information or services |
|---|---|---|---|
| Accidental Acts: undesirable event (error & omission) | | | |
| Deliberate Acts: unauthorized event (fraud & misuse) | | | |

This approach is difficult to use, and requires users to have a certain expertise. In addition, the analysis is not asset or system based.

5 

4. Vulnerability Analysis

The approach has five steps:

i. Internal experts or a risk analysis team are assembled;
ii. A scope statement is developed;
iii. Definitions are agreed upon;
iv. The team's understanding of the process is verified; and
v. The risk is calculated.

Thus, a possible assessment of risk associated with each human factor might be:



| Occupation | Unauthorized Access | Unauthorized Modification | Unauthorized Disclosure | Destruction |
|---|---|---|---|---|
| VP of HR | | | | |
| Senior managers | | | | |
| Senior specialist | | | | |
This methodology analyzes the vulnerabilities of a department with respect to the people (treated as assets) who work in the assessment zone. However, the definitions must be agreed upon before the assessment can begin.

5. Hazard Impact Analysis

This approach is similar to approach 4, but based on asset categories rather than assets. It might produce, for example, the following output:



| Threat Type | Probability | Human Impact | Property Impact | Business Impact | Internal Resources | External Resources |
|---|---|---|---|---|---|---|
| Tornado | 1 | 4 | 4 | 4 | 2 | 2 |
| 1 | 2 | 3A | 3B | 3C | 4A | 4B |

This approach identifies the threats and measures the impact on human, property and business. The existing internal and external controls are identified to mitigate the respective threats.

6. Threat Analysis

According to this approach:

i. Internal experts or a risk analysis team are assembled;
ii. A scope statement is developed;
iii. Definitions are agreed upon;
iv. The team's understanding of the process is verified; and
v. The risk analysis is conducted based on the impact on operations if a threat occurs.

For example, the following conclusions might be obtained:



| Potential Causes | Temporary Interruption | Temporary Inaccessibility | Hardware Damage | Loss of Software | Repairable Damage |
|---|---|---|---|---|---|
| LAN server outage | P | M | | | |

The five right-hand columns are the Effects on Operations.

This approach assesses the operational risk in a specified environment.

7. Questionnaire

According to this approach, a series of questions are compiled to measure compliance with an existing enterprise policy, procedure, standard, or other regulation.

8. Single Time Loss Algorithm

Single Time Loss (STL) is determined according to this approach, where:

STL = (Total asset value + Contingency Implementation costs + Data reconstruction costs) x Probability of Occurrence + (Cost of one week delay).

Single Time Loss is used as an impact value measurement.

9. Facilitated Risk Analysis Process (FRAP)

This approach includes:

i. Defining the scope of the review;
ii. Assembling representatives for the FRAP process;
iii. Defining threats against data integrity, confidentiality and availability; and
iv. Creating a Priority Matrix based on degree of vulnerability and business impact.

The three deliverables include identification of risk, prioritization of risks, and suggested controls for major risks. A list of 26 control groupings can be selected (e.g. backup, recovery plan, access control) and the approach allows project tracking and cross checking for verification purposes.

A possible Priority Matrix might be:
| Risk No. | Risk | Type | Priority | Controls |
|---|---|---|---|---|
| 1 | Information accessed by unauthorized personnel | INT | B | 3, 5, 6, 11, 12, 16 |
| 2 | Unclear or non-existent versioning of the information | INT | B | 9, 13, 26 |
| 3 | Database corrupted by hardware failure, or incorrect or bad software | INT | D | |

This approach involves analyzing one system, application, or segment of business operation at one time. The possible effects of system failures, etc., are measured against threats and vulnerabilities. Controls are then identified to mitigate the threats.

10. Risk Assessment and Management

In this approach, threat impact is measured by Annualized Loss Expectancy of Exposure (ALE). ALE is measured based on Single Loss Expectancy (SLE) and Annualized Rate of Occurrence (ARO). SLE is defined as the expected monetary loss for each occurrence of a threat event; ARO is defined as the statistical rate of threat occurrence on an annual basis. BIA is measured based on Single Loss Expectancy (SLE).

Statistical information on Annualized Rate of Occurrence (ARO) is obtained at least on a yearly basis.

11. Integrated Risk Management

This approach includes:

i. Separating Custodians and Users of Information;
ii. Defining the basic pre-requisites (e.g. roles and responsibility definition, data classification and inventory control); and
iii. Managing Risk in an integrated fashion.

In this approach, information security encompasses the use of physical and logical data access controls to ensure the proper use of data and to prohibit unauthorized or accidental modification, destruction, disclosure, loss, or access to automated assets. Risk Analysis identifies and assesses risks associated with corporate information assets and defines cost-effective approaches to managing such risks.

This approach introduces the concept of custodian and user of information. It demonstrates that through risk assessment, business continuity and information security controls shall be implemented. Business continuity is taken out as a module, separate from typical risk assessment. The potential impact of systems is measured against the total project cost, financial impact, customer impact, and regulatory/compliance impact. Alternatively, this impact can be measured against information classification and longest tolerable outage.

Business Impact Loss is measured against time sensitivity (longest tolerable outage period during peak), intangible loss (health and safety, customer satisfaction, embarrassment) and tangible loss (financial).

All existing risk assessment models, however, assume (whether explicitly or implicitly) that a competent cross-departmental team will be assembled to assess the risk. However, assessments are often actually performed by either the IT technical support team or the business owner, hence resulting in an incomplete understanding of the threats and available controls. When the responsibility for conducting the risk assessment becomes unclear, the results become unreliable.

Further, when the magnitude of the risk assessment increases, it is common for assessors to compromise the assessment process. This is particularly so when the assessment is qualitatively based. This compromise may be due to human factors and time constraints.

SUMMARY OF THE INVENTION

The present invention provides, therefore, in a first broad aspect, a method for assessing risk within an organization, comprising:

defining one or more zones, each of said one or more zones comprising an environment;

identifying one or more assets of said organization, each of said assets being located in a respective one of said zones;

conducting a respective impact assessment for each of said assets, each assessment comprising assessing the impact of the loss of said respective asset;

conducting for each of said zones a respective zone risk assessment, comprising assessing the risk level associated with placing a respective asset within said respective corresponding zone;

conducting for each asset a respective asset risk assessment, comprising assessing the risk level associated with said respective asset independent of the respective zone of said respective asset; and

assessing risk on the basis of at least said impact assessment, said zone risk assessments and said asset risk assessments.

Thus, an asset can be anything of value. The method can therefore be used to produce as an output a risk assessment. When the final steps are performed by computer, the computer can output this assessment.

Preferably the method includes identifying one or more asset custodians, each comprising a custodian of a respective asset, and identifying one or more asset owners, each comprising an owner of a respective one or more of said assets.
A custodian is typically some employee with care-taking responsibilities. In an IT environment, a custodian might be a Technical Management Team or a Project Management Team, or an individual member of such teams; a custodian may be an employee who acts as a caretaker of an automated or manual file or database. An asset owner is typically (though not necessarily) the one who pays for the asset; it may in many cases be the owner of the business. Generally, however, it is the person with overall responsibility for defining the security policies and the security and system requirements of the asset, and who can approve the security control implementation plan on the asset. It may be an end-user.

Preferably the method includes maintaining a register of said assets. Preferably said register includes the respective owner of each of said assets.

Preferably the method includes maintaining a register of said zones. Preferably said register includes the respective custodian of each of said zones.

In one embodiment, each of said assets is information related, such as materials and equipment that are used for data manipulation or storage.

In this embodiment, each of said asset custodians is an information custodian, each comprising a custodian of a respective information storage device within said organization.

Preferably the method includes defining at least four types of custodians: 1) physical and environment custodians, 2) network custodians, 3) software engineering custodians, and 4) MIS support custodians.
Preferably each of said respective zone assessments is conducted by the respective custodian of said respective zone.

Preferably each of said respective asset assessments is conducted by the respective owner of said respective asset.

Preferably the method includes regarding the loss of an asset as equivalent to the loss of a system of which said asset is a part.

Preferably the method includes determining a measured risk for each asset, said measured risk for a respective asset comprising the product of 1) an impact level determined in said impact assessment and 2) the maximum of an asset risk determined in said asset risk assessment and an asset risk determined in said zone risk assessment.

In another broad aspect, the present invention provides a risk management method, comprising:

assessing risk according to the method described above; and

managing said risk.

Preferably said managing of said risk comprises:

determining the distribution of the number of assets as a function of associated measured risk;

determining a maximum acceptable risk level; and

applying one or more controls if any of said assets exceeds said maximum acceptable risk level.

Preferably the acceptable risk level comprises the lower of the highest available measured risk or 100%.

In another broad aspect, the invention provides an apparatus for assessing risk within an organization, comprising:

data input means for inputting asset information into a register of assets, each of said assets being an asset of said organization, each of said assets being located in a respective zone;

data storage for storing said register of assets, including for each of said assets said respective zone;

means for receiving or storing a respective zone risk assessment for each of said zones, said respective zone risk assessment comprising an assessment of the risk level associated with placing a respective asset within said respective corresponding zone;

means for receiving or storing a respective asset risk assessment for each asset, said respective asset risk assessment comprising an assessment of the risk level associated with said respective asset independent of the respective zone of said respective asset;

means for receiving or storing a respective impact assessment for each of said assets, each assessment comprising assessing the impact of the loss of said respective asset, and for assessing risk on the basis of at least said impact assessment, said zone risk assessments and said asset risk assessments to thereby form a risk assessment; and

output means for outputting said risk assessment.

Of course, the means for receiving or storing a respective zone risk assessment, the means for receiving or storing a respective asset risk assessment and the means for receiving or storing a respective impact assessment may be provided as a single integer (such as a data input or data storage means).

Typically these values will be prepared separately and input into the apparatus. However, optionally, the apparatus may include data processing means for forming the zone and asset risk assessments and, again optionally, the impact assessment, for determining or for assisting in the determination of these factors. The factors would then be stored in the respective receiving or storing means.

5 

Preferably the apparatus is operable to associate with each of said assets an asset custodian, each comprising a custodian of a respective asset, and to associate with each of said assets at least one asset owner, each comprising an owner of a respective one or more of said assets.

Preferably the register of assets includes a respective owner of each of said assets.

Preferably the apparatus includes data storage for storing a register of said zones.

Preferably the zone register includes data for associating a respective custodian with each of said zones.

Preferably each of said assets is information related.

Preferably each of said respective zone assessments is conducted by the respective custodian of said respective zone, and preferably each of the respective asset assessments may be conducted by the respective owner of the respective asset.

Preferably the apparatus is operable to treat the loss of an asset as equivalent to the loss of a system of which said asset is a part.

Preferably the apparatus is operable to determine a measured risk for each asset, said measured risk for a respective asset comprising the product of 1) an impact level determined in said impact assessment and 2) the maximum of an asset risk determined in said asset risk assessment and an asset risk determined in said zone risk assessment.

The invention also provides computer readable media with software portions executable on a computer for performing the above mentioned methods.

BRIEF DESCRIPTION OF THE DRAWINGS

In order that the present invention may be more clearly ascertained, a preferred embodiment will now be described, by way of example, with reference to the drawings, in which:

Figure 1 is a flow chart illustrating the six main stages of the risk assessment method according to a preferred embodiment of the present invention;

Figure 2 is a schematic depiction of the relationship between different types of zones according to the method of figure 1;

Figure 3 is a schematic depiction of a plot of Number of Assets (N) with a particular Measured Risk Level (MRL) against Measured Risk Level according to the method of figure 1;

Figure 4A is a view similar to that of figure 3, additionally showing today's "Safety Line";

Figure 4B is a view similar to that of figure 4A, indicating the possible deterioration of the distribution of figure 4A after a pre-defined period;

Figure 4C is an alternative view to that of figure 4B, indicating the possible evolution of the distribution after a pre-defined period provided that risk mitigation measures have been taken;

Figure 5 is a flow chart of the steps for the addition of a new system according to the method of figure 1;

Figure 6 is a flow chart of the steps for the upgrading of an existing system according to the method of figure 1;

Figure 7 is a flow chart of the steps for the removal of a system or an asset according to the method of figure 1;

Figure 8 is a flow chart of the steps for the upgrading of an existing Zone according to the method of figure 1;

Figure 9 is a flow chart of the steps for the removal of a Zone according to the method of figure 1;

Figure 10 is a flow chart of the steps for the addition of new threats and controls according to the method of figure 1;

Figure 11 is a flow chart of the steps taken after a major version freeze according to the method of figure 1; and

Figure 12 is a schematic view of a database design for use in implementing the method of figure 1.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

A risk assessment method for assessing an organization's risks, according to a preferred embodiment of the present invention, will now be described in detail.

The method includes establishing four criteria: 1) Asset/Information Classification, 2) Asset Inventory, 3) Roles and Responsibilities, and 4) Custodian and User Identification.

The following assumptions are used:

• Threats are specific and are associated with asset types;
• Likelihood (of a threat) can be based on demographical statistics; and
• Risk management is a multi-decision process.

According to this embodiment, an "asset" is defined as anything that has value to the organization and is information related, including materials and equipment that are used for data manipulation or storage.

The broad classifications of assets include 1) People, 2) Software, 3) Services, 4) Media, 5) Physical, 6) Information and 7) Operating Systems. Each asset classification is further categorized into respective asset types; the method includes registering all assets under one of the asset types, which include:

1) People: contractors, internal staff or employees;
2) Software: customized application software, developed software, audit software, off-the-shelf applications;
3) Services: third party facilities;
4) Media: paper documents, computer media;
5) Physical: cryptographic facility, mobile devices, network devices, office equipment, servers, workstations, hardware management equipment, physical audit tools;
6) Information: business information, configuration information, financial information, personal information; and
7) Operating Systems: O/S Non-Windows, O/S Windows.

Thus, for example, the information classification refers to the different grading of information sensitivity in accordance with the company practices and culture. The method includes classifying all information under one of the information classification categories.

All assets are registered with proper ownership. The asset owner is defined as one who pays for the asset. The Asset register is updated whenever there is any addition, modification or deletion to an asset.
The method is preferably conducted by a cross functional team consisting of executive management, information security team, technical management team, project management team, business owners and auditors.

The responsibilities of executive management are: 1) to set management intent and business objectives with respect to information security, 2) to set the impact loss monetary scale, 3) to confirm the degree of assurance required for risk mitigation, 4) to review and approve risk assessment and management reports, 5) to review and approve risk reduction measures, 6) to review and approve exception reports, and 7) to review control implementation progress.

The responsibilities of the Information Security Team are: 1) to review and agree on threat frequency, 2) to develop a baseline for information classification as corporate governance, 3) to maintain the threats and controls database, 4) to review risk assessment and management reports, 5) to review risk reduction measures, and 6) to review control implementation progress.

The responsibilities of the Technical Management Team are: 1) to register the team assets into the Asset Register, 2) to perform risk assessment on respective areas of responsibility, 3) to review and propose effective countermeasures, and 4) to follow up on control implementation progress.

The responsibilities of the Project Management Team are: 1) to register the team assets into the Asset Register, 2) to perform risk assessment on respective areas of responsibility, 3) to review and propose effective countermeasures, and 4) to follow up on control implementation progress.

The responsibilities of the Business Owners are: 1) to register the assets into the Asset Register, 2) to perform risk assessment on individual assets, 3) to review and propose effective countermeasures, and 4) to follow up on control implementation progress.

The responsibilities of the Auditors are: 1) to review risk assessment and management reports, 2) to review exception reports, and 3) to review for irregular risk distribution patterns.

Each of these parties participates in the risk assessment according to the organization's Information Security Management System (ISMS). Each party thus has its roles and responsibilities properly defined.

According to the method, information custodians and owners, respectively, are identified. Based on the defined roles and responsibilities, custodians typically include the Technical Management Team and the Project Management Team; the owners include the business owners.

A custodian is thus typically an employee that acts as a caretaker of an automated or manual file or database. The method defines four types of custodians, namely: 1) physical and environment custodian, 2) network custodian, 3) software engineering custodian, and 4) MIS support custodian.

Physical and environment custodians are those who take care of the physical well-being of the environmental zone. These generally refer to office administrators and physical security administrators.

Network custodians are those taking care of the organization network zones. These generally refer to LAN and WAN administrators and network security administrators.

Software Engineering custodians are those who develop and maintain software applications for the organization. These generally refer to software project managers and project team leads.

MIS Support custodians are those who maintain the operations for the proper running of the systems. These generally refer to system administrators, database administrators and data center managers.

The owner of the information is an individual that has specified limited authority granted by the owner of the information to view, change, add, disseminate or delete such information. These include business owners. Note that custodians may also own assets, in which case they may also be business owners.

The method proceeds as a six stage process where custodians and owners are segregated from the beginning. Broadly speaking, the custodians perform zone assessments and the owners perform asset assessments. Independent assessments are collated and results are generated based on the assessments.



Referring to figure 1, the six stages may be summarized as follows.

| Stage | Summary |
|---|---|
| 1st | Zone Registration (2): all zones within the organization - whether real or virtual - are categorized and identified. |
| 2nd | Asset Registration (4): all assets are categorized and inventoried. |
| 3rd | System Impact Assessment (6): systems are measured based on total loss of confidentiality, integrity and availability. |
| 4th | Zone Risk Assessment (8a): zones are measured against a set of security best practices. Asset Risk Assessment (8b): individual asset risk level is measured against a set of security best practices. The measured risk of each individual asset is the product of the impact level and the asset risk level. |
| 5th | Risk Management (10): assets that are overexposed and require some form of risk mitigation are identified. Assessors select controls for risk mitigation and these selected controls are tracked accordingly. |
| 6th | Project Tracking (12): all security implementations are tracked. |
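As an added example (not code from the patent), the following Python models the measured-risk computation stated in the summary and in the fourth and fifth stages above: zone and asset risk levels, measured risk as impact level times the maximum of the two, the distribution of assets by measured risk, the acceptable risk level, and the assets that exceed a safety line. It assumes a constructed best-practice checklist and scores a zone's risk level as the share of that checklist left uncovered after zone inheritance; the zone, asset and control names are constructed.

```python
from dataclasses import dataclass
from collections import Counter
from typing import Optional

# Security best-practice checklist that zones are measured against.
# CONSTRUCTED sample: the patent names no specific controls.
BEST_PRACTICES = frozenset(
    {"access_control", "backup", "monitoring", "patching", "physical_entry"}
)


@dataclass
class Zone:
    """An environment built to contain assets; assessed by its custodian."""
    name: str
    custodian: str
    controls: frozenset              # controls implemented in this zone itself
    parent: Optional["Zone"] = None  # perimeter zone this zone sits inside

    def effective_controls(self) -> frozenset:
        # Zone inheritance (figure 2): controls implemented in a perimeter
        # zone are inherited by the more inner zone.
        inherited = self.parent.effective_controls() if self.parent else frozenset()
        return self.controls | inherited

    def risk_level(self) -> float:
        # ASSUMPTION: zone risk level = share of the checklist the zone does
        # not satisfy after inheritance (0.0 = fully covered, 1.0 = nothing).
        missing = BEST_PRACTICES - self.effective_controls()
        return len(missing) / len(BEST_PRACTICES)


@dataclass
class Asset:
    """A registered asset with its owner, zone and the owner's assessments."""
    name: str
    owner: str
    zone: Zone
    impact: float      # impact level from the System Impact Assessment, 0..1
    asset_risk: float  # asset risk level from the Asset Risk Assessment, 0..1


def measured_risk(asset: Asset) -> float:
    """Measured risk = impact level x max(asset risk level, zone risk level)."""
    return asset.impact * max(asset.asset_risk, asset.zone.risk_level())


def risk_distribution(assets: list[Asset]) -> dict[float, int]:
    """Number of assets per 0.1-wide measured-risk bucket (the figure 3 plot)."""
    counts: Counter = Counter()
    for a in assets:
        counts[int(measured_risk(a) * 10) / 10] += 1
    return dict(sorted(counts.items()))


def acceptable_risk_level(assets: list[Asset], max_acceptable: float = 1.0) -> float:
    """The lower of the highest available measured risk or 100% (1.0)."""
    return min(max(measured_risk(a) for a in assets), max_acceptable)


def overexposed(assets: list[Asset], safety_line: float) -> list[str]:
    """Names of assets whose measured risk exceeds the safety line (figure 4A)
    and therefore need controls applied in the Risk Management stage."""
    return [a.name for a in assets if measured_risk(a) > safety_line]


def sample_inventory() -> list[Asset]:
    """CONSTRUCTED zones and assets; control names and levels are illustrative."""
    physical = Zone("HQ building", "office admin",
                    frozenset({"physical_entry", "access_control"}))
    network = Zone("office LAN", "network admin",
                   frozenset({"monitoring"}), parent=physical)
    mis = Zone("server room", "sysadmin",
               frozenset({"patching", "backup"}), parent=network)
    return [
        Asset("HR database", "HR director", mis, impact=0.9, asset_risk=0.3),
        Asset("web server", "marketing lead", network, impact=0.7, asset_risk=0.6),
        Asset("paper archive", "records clerk", physical, impact=0.4, asset_risk=0.5),
    ]


if __name__ == "__main__":
    inventory = sample_inventory()
    for a in inventory:
        print(f"{a.name:14s} zone risk {a.zone.risk_level():.2f} "
              f"measured risk {measured_risk(a):.2f}")
    print("distribution:", risk_distribution(inventory))
    print("overexposed at safety line 0.30:", overexposed(inventory, 0.30))
```

With the constructed inventory the inner server-room zone inherits every perimeter control, so the HR database's measured risk is driven by its own asset risk level, while the web server in the less covered LAN zone is the only asset above a 0.30 safety line.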



FIRST STAGE: ZONE REGISTRATION (2)

Theoretically, assessors should be able to assess the risk based on the existing controls, but evidence has shown that - owing to factors such as job specialization and responsibilities, and cross departmental relationships - assessors are usually faced with the daunting task of assessing risk associated with matters of which they have no prior knowledge or familiarity. This is primarily because risk assessment is a multi-user decision process.

Studies have also demonstrated that different parties should be involved in securing any information asset. It is a common practice that one party determines the environment, while the asset owner places their information asset into the environment.

The present method employs a Zone concept to address this problem. A Zone is defined as an environment built to contain assets. According to the method, all relevant Zones within the organization are registered.

The method recognizes four Zones, namely: 1) Physical and environment Zone, 2) Network Zone, 3) Software Engineering Zone, and 4) MIS Support Zone. These, it will be noted, correspond to the custodians described above.

A Physical and environment Zone is an environment that is used to protect physically the assets placed therewithin. The custodians of this Zone are typically office administrators or physical security administrators.

A Network Zone is an environment that is used to restrict access to the network to protect the accessibility of that asset. The custodians of this Zone are typically WAN administrators and network security administrators.

A Software engineering Zone is an environment that is used to develop and maintain software for the organization. The custodians of this Zone are typically software project managers and project team leaders.

An MIS Support Zone is an environment that is used to maintain the system to ensure the operability of the systems. The custodians of this Zone are typically system administrators, database administrators and data center managers.

As most zone protection is designed to be layered, the method employs zone inheritance. Referring to figure 2, this means that controls implemented in a perimeter zone (14) are inherited by a more inner zone (16) and similarly also inherited by an innermost trusted zone (18). According to the method, zone inheritance is practised in the Physical and environment Zone and in the Network Zone.

SECOND STAGE: ASSET REGISTRATION (4)

In the Asset Registration stage (4), assets are collated for risk assessment and management. The method mimics real-world system modeling where service and system concepts are introduced in this phase, and thereby enhances the effectiveness and efficiency in asset management and maintenance.

In this stage, according to the method a "service" is defined to be a combination of systems that is required to fulfill a business delivery, while a "system" is defined to be a combination of components (defined as "assets") to realize a function. By means of this modeling, all assets (including non-IT based assets) are registered. Complex relationships between services, systems and components can thus be expressively captured.

The way these definitions interact can be seen from the following simple examples. A business-to-business (B2B) service (i.e. the "service") may consist of a web server (a "system"), an application server (a further "system") and a database server (a further "system"). The web server consists of CPU hardware (an "asset" of classification "physical", type "hardware"), an operating system (an "asset" of classification "software"), web hosting software (an "asset" of classification "software"), information web pages (an "asset" of classification "information") and a B2B functional specification document (an "asset" of classification "media").

Alternatively, a networking service (a "service") may consist of a firewall system (a "system") and a networking system (a further "system"). The networking system may consist of a network switch (an "asset" of classification "physical"), network routers ("assets" also of classification "physical"), router firmware (an "asset" of classification "software") and a routing configuration (an "asset" of classification "information").

As a further example, a departmental service (a "service") may consist of several departmental teams (each a "system"). Each team may comprise various appointments (each an "asset" of classification "people"). In another example, a facilities service (a "service") may consist of an electrical system (a "system") and an air conditioning system (a further "system"). An electrical system may comprise an uninterruptible power supply (an "asset" of classification "hardware") and electrical power (an "asset" of classification "service").

10 

When systems are registered, relevant zones are also specified. This facilitates subsequent zone assessment. For example, a web server will ultimately be described as in a Physical Zone and a Network Zone, maintained by an operational and development team.

However, assets that provide physical and network countermeasures will not be registered as having physical and network zones respectively.

According to the method, when assets are registered, they are specified according to their asset type.

If the asset type is an information classification, it needs to be further defined according to the information sensitivity classification. A system inherits the sensitivity of the highest sensitivity information stored within the system, and propagates it to the rest of the assets that are non-information based. In terms of the previous example of a web server, if the sensitivity marking of the information is confidential, then the rest of the system including the CPU hardware and web hosting software will inherit the confidential marking.

THIRD STAGE: SYSTEM IMPACT ASSESSMENT (6)

Impact assessment is a process of measuring the total impact in the event of a total single asset loss, independent of other losses. As defined earlier, according to the method it is assumed that any component failure would lead to a total failure of the system. Hence, the method conducts the impact assessment at the system level. However, a failure in the system may not cause the entire service to fail.

The method - during this stage - takes into consideration five criteria: 1) Loss of Opportunity, 2) Loss of Productivity, 3) Loss due to Regulatory Breaches, 4) Cost of System Investment, and 5) Information Classification Rating.

Further, in the course of impact assessment, the method always assumes the worst case scenario.

The Loss of Opportunity refers to the loss of monetary gain during the period of system unavailability as well as the potential future loss.

The Loss of Productivity is the loss of efficiency of the users and the cost of recovery within the organization during the period of system unavailability.

The Loss due to Regulatory Breaches is the cost of contractual and/or legislative payout due to breaches in service level agreement or law.

The Cost of System Investment is the cost of rebuilding an identical system.

Information Classification Rating refers to the highest aggregate information classification stored in the system.

Loss of Opportunity, Loss of Productivity, Loss due to Regulatory Breaches and Cost of System Investment are calculated as monetary indices. An example of such a monetary index is as follows:

Monetary value X                 Monetary Index
X < $10,000                      1
$10,000 < X < $20,000            2
$20,000 < X < $40,000            3
$40,000 < X < $80,000            4
$80,000 < X < $160,000           5
$160,000 < X < $320,000          6
$320,000 < X < $640,000          7
$640,000 < X < $1,280,000        8
$1,280,000 < X < $2,560,000      9
X > $2,560,000                   10



The monetary scale will differ from one organization to another. The highest monetary index value is assigned to the total valuation loss of the ISMS scope. Each scale increment is a multiple of two of the previous, starting from a figure defined by the organization.

Each criterion is weighted according to the organization's objectives and goals, while the summation of the weights should add up to 100%. This reflects the relative importance of the five criteria. The weights are defined by the management based on business focus and management intent.

Each system is assessed based on these criteria, and the total impact valuation is computed using the formula:

\text{Total Impact} = \frac{100\% \times \sum_{i} (\text{criterion value}_i \times \text{criterion weight}_i)}{\sum_{i} (\max \text{criterion value}_i \times \max \text{criterion weight}_i)}

Assets under the system inherit the impact valuation of the system.
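The monetary index scale and the weighted Total Impact formula above, worked through in Python as an added example (this is not code from the patent). The criterion weights, the 1..4 scale for the classification rating, lower-inclusive index boundaries and the sample losses are constructed assumptions for illustration.

```python
"""Added example, not the patent's own code: the monetary index scale
and the weighted Total Impact formula of the Third Stage."""
from dataclasses import dataclass

BASE_VALUE = 10_000     # first scale step; the organization defines it
MAX_INDEX = 10          # highest index = total valuation loss of the ISMS scope


def monetary_index(loss: float, base: float = BASE_VALUE,
                   max_index: int = MAX_INDEX) -> int:
    """Map a monetary loss to the index 1..max_index; each step doubles the
    previous one. Boundaries are taken as lower-inclusive (an assumption,
    the page's table does not say)."""
    if loss < 0:
        raise ValueError("a loss cannot be negative")
    index, bound = 1, base
    while loss >= bound and index < max_index:
        index += 1
        bound *= 2
    return index


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: float      # management-defined; all weights must sum to 100%
    max_value: int     # top of the criterion's rating scale


# Constructed weights; the classification scale (1..4) is an assumption.
CRITERIA = (
    Criterion("Loss of Opportunity", 0.30, MAX_INDEX),
    Criterion("Loss of Productivity", 0.25, MAX_INDEX),
    Criterion("Loss due to Regulatory Breaches", 0.20, MAX_INDEX),
    Criterion("Cost of System Investment", 0.15, MAX_INDEX),
    Criterion("Information Classification Rating", 0.10, 4),
)


def total_impact(values: dict, criteria=CRITERIA) -> float:
    """Total Impact (%) = 100% * sum(value_i * weight_i) / sum(max_i * weight_i).
    'max criterion weight' is read here as the criterion's own fixed weight."""
    if abs(sum(c.weight for c in criteria) - 1.0) > 1e-9:
        raise ValueError("criterion weights must add up to 100%")
    if set(values) != {c.name for c in criteria}:
        raise ValueError("every criterion needs exactly one rated value")
    for c in criteria:
        if not 0 <= values[c.name] <= c.max_value:
            raise ValueError(f"{c.name}: value outside 0..{c.max_value}")
    numerator = sum(values[c.name] * c.weight for c in criteria)
    denominator = sum(c.max_value * c.weight for c in criteria)
    return 100.0 * numerator / denominator


def assess_system(losses: dict, classification_rating: int) -> float:
    """Rate the four monetary criteria (dollar losses -> indices), add the
    classification rating and return the system's Total Impact in percent.
    Assets under the system inherit this value."""
    values = {name: monetary_index(amount) for name, amount in losses.items()}
    values["Information Classification Rating"] = classification_rating
    return total_impact(values)


# Constructed sample: a web server system, rated for the worst case
# as the method requires.
SAMPLE_LOSSES = {
    "Loss of Opportunity": 100_000,          # index 5
    "Loss of Productivity": 15_000,          # index 2
    "Loss due to Regulatory Breaches": 0,    # index 1
    "Cost of System Investment": 3_000_000,  # index 10
}

if __name__ == "__main__":
    print(f"Total Impact: {assess_system(SAMPLE_LOSSES, 3):.1f}%")
```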

The following table defines the criteria that are considered in rating system impact for the different components of the organization. This is to ensure consistency among those who input the system impact weighting.

CRITERION: Loss of Productivity
  IT systems:      Amount due to users' 7 day productivity loss; Cost of system recovery.
  Non-IT systems:  Loss due to 7 day productivity loss; Cost of system recovery.
  People:          Loss due to inability to perform work for 7 days; Amount incurred due to idle people.

CRITERION: Loss of Opportunity
  IT systems:      Income loss for 7 days; Potential future business loss for Y years; Cost of damage control.
  Non-IT systems and People:  Income loss for 7 days; Potential future business loss; Cost of damage control.

CRITERION: Cost of System Investment
  IT systems:      Development cost; Hardware cost; Software cost; Information cost.
  Non-IT systems:  Hardware cost; Software cost.
  People:          Hiring cost; Training cost.

CRITERION: Loss due to Regulatory Breaches
  All components:  Amount compensated due to failure to meet regulatory requirements; Amount due to legal implication.

Y is determined by management; it depends on the service or product of the organization.

FOURTH STAGE: ZONE ASSESSMENT (8a)

In the Zone Assessment Stage (8a), the first of the two parts of the Fourth Stage, an operating environment is evaluated based on the number of security controls implemented. The object of the assessment is to assess the risk level when an asset is placed within the environment. As mentioned above, the four Zone categories are Physical and environmental, Network, Software Engineering and MIS Support. The related threats are linked automatically based on the nature of the zone category; this greatly reduces the assessor's overhead in having to individually review the suitability of each threat in relation to the zone.

Each threat is associated with a likelihood of threat occurrence, based on the criteria of demographic statistics, nature of business activities and organization culture. Likelihood is assigned a percentage probability:



Likelihood of Occurrence    Percentage
Not applicable              0%
Rarely                      20%
Unlikely                    40%
Possible                    60%
Highly Possible             80%
Definitely                  100%



Each threat is associated with a list of security measures that can be adopted to manage risk. These measures are further weighted in order to differentiate between the strengths of different security controls. Generally, the effectiveness of a control is computed according to this method as follows:

Control Type                    Control Effectiveness
Guidelines, Work Instruction    20%
Policy and Standards            40%
Procedure and Forms             50%
Technical Implementation        60% - 100%
The degree of risk associated with each Zone is determined on the basis of the number of security solutions implemented against the threat. More than one threat may be associated to a zone, so the method includes assuming that the weakest security link is the threat having the highest risk exposure. Thus:

ZRL = \max_{\text{threats}} \left( \left( 1 - \frac{\sum_{i} (SI_i \times SW_i)}{\sum_{i} SW_i} \right) \times LO \right) \times 100\%

where: ZRL = Zone Risk Level,
SI = Solution Implementation,
SW = Solution Weight, and
LO = Likelihood of Occurrence.

According to the asset sensitivity marking, baseline controls are reflected as mandatory, so assessors are able to differentiate between mandatory and optional controls, resulting in clearer objectives in reducing risks.

For the sake of efficiency, the method includes allowing assessors to apply a particular zone assessment to the relevant zones that possess identical controls, thereby streamlining the effort required by the assessor.

FOURTH STAGE: ASSET RISK ASSESSMENT (8b)

According to the method, in the Asset Risk Assessment Stage (8b) an asset is evaluated based on the number of security controls implemented. The objective of the assessment is to assess the risk level of an asset, independent of the zones. As each asset has an associated asset type and each asset type has its related threats, each asset is automatically linked to its associated threats; this reduces the assessor's overhead in having to individually review the suitability of each threat in relation to the asset.

As above, each threat is associated with a likelihood of threat occurrence, based on the criteria of demographic statistics, nature of business activities and organization culture and expressed as a probability.

As in Zone Risk Assessment (see above), each threat in Asset Risk Assessment has a list of security measures that can be adopted to manage risk. These measures are further weighted so as to differentiate the strengths of different security controls. The effectiveness of a control is computed as discussed above.

Based on the number of security solutions implemented against the threat, the degree of risk associated with each asset is measured in a manner comparable to that described above under "Zone Risk Assessment". Hence, Asset Risk Level is determined as follows:

ARL = \max_{\text{threats}} \left( \left( 1 - \frac{\sum_{i} (SI_i \times SW_i)}{\sum_{i} SW_i} \right) \times LO \right) \times 100\%

where: ARL = Asset Risk Level,
SI = Solution Implementation,
SW = Solution Weight, and
LO = Likelihood of Occurrence.

According to the asset sensitivity marking, baseline controls are reflected as mandatory, so assessors are able to differentiate between mandatory and optional controls, resulting in clearer objectives in reducing risks.

In order to improve on the efficiency, the method also allows assessors to apply a particular asset assessment to relevant assets that possess identical controls.
Each asset is assessed based on the total impact and the risk level using the formula:

\text{Measured Risk} = \text{Total Impact} \times \max(ARL, ZRL)
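The Zone and Asset Risk Level formulas and the Measured Risk product, worked through in Python as an added example (not code from the patent). It assumes SI is 1 for an implemented control and 0 otherwise, takes SW from the control effectiveness table (60% assumed for a technical control), and the threats and controls below are constructed for illustration.

```python
"""Added example, not the patent's own code: Zone Risk Level (ZRL),
Asset Risk Level (ARL) and Measured Risk from the Fourth Stage."""
from dataclasses import dataclass

# Solution Weight (SW) by control type, from the control effectiveness
# table; technical implementations range 60%-100%, 60% is assumed here.
CONTROL_WEIGHT = {
    "guideline": 0.20,
    "policy": 0.40,
    "procedure": 0.50,
    "technical": 0.60,
}

# Likelihood of Occurrence (LO) scale from the page.
LIKELIHOOD = {
    "not applicable": 0.0, "rarely": 0.2, "unlikely": 0.4,
    "possible": 0.6, "highly possible": 0.8, "definitely": 1.0,
}


@dataclass(frozen=True)
class Control:
    name: str
    control_type: str     # key into CONTROL_WEIGHT
    implemented: bool     # SI: True only for completed and verified controls

    @property
    def weight(self) -> float:
        return CONTROL_WEIGHT[self.control_type]


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str       # key into LIKELIHOOD
    controls: tuple       # security measures that can manage this threat


def threat_exposure(threat: Threat) -> float:
    """(1 - sum(SI_i * SW_i) / sum(SW_i)) * LO for one threat, as a fraction.
    SI is taken as 1 for an implemented control and 0 otherwise (assumption)."""
    total_weight = sum(c.weight for c in threat.controls)
    if total_weight == 0:
        raise ValueError(f"threat {threat.name!r} has no weighted controls")
    covered = sum(c.weight for c in threat.controls if c.implemented)
    return (1.0 - covered / total_weight) * LIKELIHOOD[threat.likelihood]


def risk_level(threats) -> float:
    """ZRL or ARL in percent: the weakest link, i.e. the MAX over all threats."""
    if not threats:
        return 0.0
    return 100.0 * max(threat_exposure(t) for t in threats)


def measured_risk(total_impact_pct: float, arl_pct: float, zrl_pct: float) -> float:
    """Measured Risk = Total Impact x MAX(ARL, ZRL); inputs and result in percent."""
    return total_impact_pct * max(arl_pct, zrl_pct) / 100.0


# Constructed sample: a Physical Zone with two threats ...
SAMPLE_ZONE_THREATS = (
    Threat("unauthorized physical entry", "possible", (
        Control("physical entry controls", "technical", True),
        Control("visitor handling procedure", "procedure", True),
        Control("clear desk guideline", "guideline", False),
    )),
    Threat("power failure", "rarely", (
        Control("uninterruptible power supply", "technical", False),
        Control("power supply policy", "policy", True),
    )),
)

# ... and a software asset (web hosting software) placed in that zone;
# the unimplemented patch procedure is a planned control and does not count.
SAMPLE_ASSET_THREATS = (
    Threat("malicious software", "highly possible", (
        Control("anti-malware software", "technical", True),
        Control("patch management procedure", "procedure", False),
        Control("user awareness guideline", "guideline", True),
    )),
)

if __name__ == "__main__":
    zrl = risk_level(SAMPLE_ZONE_THREATS)
    arl = risk_level(SAMPLE_ASSET_THREATS)
    print(f"ZRL={zrl:.1f}%  ARL={arl:.1f}%  "
          f"Measured Risk={measured_risk(50.0, arl, zrl):.1f}%")
```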

FIFTH STAGE: RISK MANAGEMENT (10)

To date, there are no fixed approaches to risk management and many organizations depend heavily on Management to provide some indication of how risk should be managed. However, Management may not know how to improve their organization's Information Security Management System or ISMS, and in fact require guidance in making a decision as to how to manage risk. Furthermore, no prior art risk management model possesses a continual improvement feature.

The method includes the six sigma concept for risk management processes. However, it should be noted that the method only employs certain parts of the six sigma concept and is somewhat modified. By using this approach, the method can be used to assist the organization in identifying the potential high risk assets that require immediate attention, hence maintaining the security effectiveness of the organization over time.

Thus, according to the method, all assets are tabulated against their Measured Risk Level. The Number of Assets (Na) with any particular Measured Risk Level (MRL) is plotted against Measured Risk Level; this is shown schematically in figure 3. It will be appreciated that it may be necessary to group ranges of values of Na in suitably sized bins. The Measured Risk distribution will be a bell shaped curve as it is two-dimensional (i.e. Impact Level, Asset/Zone Risk Level).

Figure 4A is another schematic representation of Na versus MRL. Vertical line (20) is today's "Safety Line", which marks the highest available Measured Risk or 100%, whichever is lower. The method includes assuming that assets available today are sufficiently protected.

Owing to technological and other advancements, some assets may become exposed owing to control insufficiency and ineffectiveness. Referring to figure 4B, assets will tend to increase in MRL until the original distribution (22) shifts right (i.e. towards higher values of MRL) to new distribution (24). Hence, assets that are near or at today's Safety Line (20) may no longer be safe after a pre-defined period and then be on the high side (26) of today's Safety Line (20).

Thus, assets that are near or at today's Safety Line (20), because they may not be safe after a defined period, should be reviewed. More controls should be applied accordingly so that the risk exposure is addressed currently and for the defined period, so that instead of the distribution becoming new distribution (24) of figure 4B, it becomes, say, a modified distribution (28) as shown in figure 4C. The modified distribution (28) may differ from the original distribution (22), but it has the desired property that all assets are adequately protected.

Hence, based on standard Six Sigma concept calculations of a 1.5σ shift to the right, the threshold marks the recommended degree of assurance. Assets that are above the degree of assurance are highlighted for risk mitigation. A range of controls, zone and/or asset based, for mitigation purposes are made available for implementation scheduling.
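The Fifth Stage tabulation of assets by Measured Risk Level and the 1.5σ threshold, as an added Python example (not code from the patent). It reads the text as follows: an asset whose MRL would cross today's Safety Line after a 1.5σ rightward shift of the distribution is overexposed, so the degree of assurance is the Safety Line less 1.5σ; the bin width and the sample assets are constructed.

```python
"""Added example, not the patent's own code: the Fifth Stage tabulation of
assets by Measured Risk Level (MRL) and the 1.5 sigma assurance threshold."""
from collections import Counter
from statistics import pstdev

SIGMA_SHIFT = 1.5   # standard Six Sigma shift to the right assumed by the method


def safety_line(mrls) -> float:
    """Today's Safety Line: the highest available Measured Risk or 100%,
    whichever is lower."""
    return min(max(mrls), 100.0)


def risk_histogram(mrls, bin_width: float = 10.0) -> dict:
    """Na per MRL bin (lower bin edge -> number of assets); the bin width
    is a choice, as the text says ranges may need grouping."""
    counts = Counter(int(m // bin_width) * bin_width for m in mrls)
    return {edge: counts[edge] for edge in sorted(counts)}


def assurance_threshold(mrls, shift: float = SIGMA_SHIFT) -> float:
    """Recommended degree of assurance. This example's reading of the text:
    an asset whose MRL would cross today's Safety Line after a 1.5 sigma
    shift of the distribution is overexposed, so the threshold is the
    Safety Line less 1.5 sigma (population standard deviation)."""
    if len(mrls) < 2:
        raise ValueError("need at least two assets to estimate the spread")
    return max(safety_line(mrls) - shift * pstdev(mrls), 0.0)


def assets_to_mitigate(assets, shift: float = SIGMA_SHIFT):
    """Return (threshold, [(asset, mrl), ...]) for assets above the degree of
    assurance, highest risk first, as candidates for control selection."""
    mrls = [m for _, m in assets]
    threshold = assurance_threshold(mrls, shift)
    flagged = [(name, m) for name, m in assets if m > threshold]
    return threshold, sorted(flagged, key=lambda item: item[1], reverse=True)


# Constructed sample: ten assets with their Measured Risk Levels in percent.
SAMPLE_ASSETS = [
    ("web server CPU", 20.0), ("operating system", 30.0),
    ("web hosting software", 35.0), ("B2B specification", 40.0),
    ("routing configuration", 40.0), ("router firmware", 40.0),
    ("network switch", 45.0), ("database server", 45.0),
    ("application server", 45.0), ("customer database", 60.0),
]

if __name__ == "__main__":
    threshold, flagged = assets_to_mitigate(SAMPLE_ASSETS)
    line = safety_line([m for _, m in SAMPLE_ASSETS])
    print(f"Safety Line {line:.0f}%, threshold {threshold:.1f}%: {flagged}")
```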

According to the method, it is recognized that the following parameters may change over time: 1) Effectiveness of Controls, 2) Threat Frequency, 3) New Controls, and 4) New Threats.

Effectiveness of Controls may change owing to human intelligence advances.

Threat Frequency may change owing to changes in political or social stability in one or more particular areas.

New Controls may change owing to new advancement of technology or methods of risk mitigation.

New Threats may change owing to the introduction of new technology that affects the current information security of the organization.

Hence, continual risk assessment is conducted - according to the present method - at least on a yearly basis to maintain the effectiveness of the ISMS.

SIXTH STAGE: PROJECT TRACKING (12)

Risk assessment does not stop at selecting controls for risk mitigation, but rather only after controls have been implemented. Hence, each control scheduled for implementation during the risk management phase is tracked.

It should be noted that the present method treats planned controls as unimplemented controls. Only completed and verified controls are regarded as implemented controls.

During this stage, information (such as the person responsible for control implementation, the implementation method, the cost and effort of implementation, estimated and actual implementation start and end date) is captured.

35 

EVENT FLOW

The method of this embodiment is event driven, and an effect on the knowledge base or the asset registry will result in a change in the result computed according to the method.

The method will have an impact (that is, performs a role) under the following conditions:

1) Addition of a new System;
2) Upgrade of an existing System;
3) Removal of a System or an Asset;
4) Addition of a new Zone;
5) Upgrade of an existing Zone;
6) Removal of a Zone;
7) Addition to the database of New Threats and Controls; and
8) Versioning.

1. Addition of a New System

New Systems are proposed as part of a new project to be added to the environment.

Such new Systems are incorporated into the present method for risk assessment in two phases: pre-tender system planning and post-tender system planning.

During the pre-tender system planning, the owner-to-be is unlikely to know what the detailed assets will be. Hence, risk assessment is done at the system level by means of a questionnaire. Based on the questionnaire, the related threats and mandatory controls corresponding to the system's information class are then displayed for the owner-to-be.

Once the system configuration is fixed, the pre-tender system planning information is converted into post-tender system planning information. The system is marked as non-production so that the computation will be kept separate from actual systems within the environment. Users verify the assessment input again to ensure data validity.

This is done to ensure that new systems can be planned properly and that the system security readiness is adequate when launched.

Figure 5 is thus a flow chart of the steps - according to the present method - for the addition of a new system.

2. Upgrade of an Existing System

When existing systems are being re-used as part of a new service launch, new assets are usually added to an existing system.

All existing systems being considered by the present method will be affected. The relevant existing system is replicated accordingly and treated as a planned system so that it does not corrupt the existing system configuration. The replicated system is linked to the additional assets for risk assessment. Once the evaluation has been completed, the replicated system replaces the existing system in the database.

There is no planned assets feature because of the potential complexity and integrity of the input; thus, the risk of data corruption is minimized.

Figure 6 is a flow chart of the steps, according to the present method, for the upgrading of an existing system.

30 

3. Removal of a System or an Asset

An existing system or asset may be removed owing to obsolescence or to wear and tear.

No system or asset other than the removed system or asset is affected. However, the overall risk management statistics may change owing to the removal. Thus, as each asset contributes to the overall risk management results, a review of the risk management result and further risk reduction may be required.

Figure 7 is a flow chart of the steps - according to the present method - for the removal of a system or an asset.

4. Addition of a Zone

A new Zone may be proposed as part of the new environment. There is no effect on any asset until an asset is assigned to the new Zone, as a Zone is an environment and as long as the environment does not contain any asset, there are no risks involved.

5. Upgrade of an Existing Zone

However, if an existing Zone is upgraded (owing possibly to renovation or insufficiency of existing controls), systems that are within the upgraded Zone will be affected. This is because systems that are within the upgraded Zone automatically inherit the controls implemented within the Zone.

Figure 8 is thus a flow chart of the steps - according to the present method - for the upgrading of an existing Zone.

6. Removal of a Zone

An existing Zone may be removed owing to, for example, a location shift. Systems that are within the Zone will be affected, as such systems will no longer have an environment to operate in. Hence, the method includes relocating such systems to another Zone for subsequent operations.

Thus, figure 9 is a flow chart of the steps - according to the present method - for the removal of a Zone.

7. Addition of New Threats and Controls

When new threats and controls are added to an organization's database (maintained for the purpose of implementing the method of this embodiment), only new assets registered subsequently will be affected.

Any implications on existing assets will only be evaluated, according to the present method, after a major version freeze initiated by the administrator, as it is impractical to have assessors re-evaluate the assets under new threats and controls each time there is an update. It is more practical for the re-assessment to take place every version cut, which is recommended to be at least once a year. The new assets are affected because they have been newly added and, according to security best practice, it is important to assess the system using the most recent available threats and solutions.

Figure 10 is a flow chart of the steps - according to the present method - for the addition of new threats and controls.

8. Effects After a Major Version Freeze

An Administrator may initiate a major version freeze of the risk assessment database (such as on a yearly basis). All existing assets are reevaluated in the light of the most current threats and controls. The new risk management threshold is then recalculated.

The present method is a continual assessment methodology as threats and controls change over time. It is thus critical to ensure that assessors perform risk assessment on a regular basis on the existing assets.

Figure 11 is a flow chart of the steps - according to the present method - taken after a major version freeze.
IMPLEMENTATION DETAILS

The present method is designed to be consistent with BS7799/ISO17799 ISMS. Using BS7799 control reference numbers, the method splits the controls into two categories, infrastructure and specific.

Infrastructure controls are fundamental controls required for setting up an ISMS. The following controls are considered as fundamental.



BS7799 Control Reference No.    Control Description
4.1.1.1     Information security policy document
4.1.1.2     Policy review and evaluation
4.2.1.1     Management information security forum
4.2.1.2     Information security co-ordination
4.2.1.3     Allocation of information security responsibilities
4.2.1.4     Authorization process for information processing facilities
4.2.1.5     Specialist information security advice
4.2.1.6     Co-operation between organizations
4.2.1.7     Independent review of information security
4.2.2.1     Identification of risk from third party
4.2.2.2     Security requirements in third party contracts
4.3.1.1     Inventory of asset
4.3.2.1     Classification guidelines
4.3.2.2     Information labelling and handling
4.4.1.1     Including security in job responsibilities
4.4.3.1     Reporting security incidents
4.4.3.2     Reporting security weaknesses
4.4.3.4     Learning from incidents
4.4.3.5     Disciplinary process
4.6.1.3     Incident management procedures
4.6.6.3     Information handling procedures
4.9.1.1     Business continuity management process
4.10.1.1    Identification of applicable legislation
4.10.1.2    Intellectual property rights (IPR) procedures
4.10.1.3    Safeguarding of organizational records
4.10.1.4    Data protection and privacy of personal information
4.10.1.5    Prevention of misuse of information processing facilities
4.10.1.6    Regulation of cryptographic controls
4.10.1.7    Collection of evidence
4.10.2.1    Compliance with security policy
4.10.3.1    System audit controls



Specific controls are controls that are selectable as part of the risk assessment management process. Specific controls are then divided into zone controls and asset controls.

A Zone control is defined as a <Security Control> applied to a <zone> to protect an <asset type>.



BS7799 Control Reference No.    Control Description
4.2.3.2     Security compliance of outsourced service provider
4.2.3.3     Evaluation of outsourced service provider
4.4.1.5     Identification of sensitive position
4.4.1.6     Verification of computing facilities use
4.4.2.2     Training for job competency
4.4.2.3     Personnel safety training
4.4.3.3     Reporting software malfunctions
4.4.4.1     Responding to bomb and fire threats
4.5.1.1     Physical security perimeter
4.5.1.2     Physical entry controls
4.5.1.3     Securing offices, rooms and facilities
4.5.1.4     Working in secure areas
4.5.1.5     Isolated delivery and loading areas
4.5.2.1     Equipment siting and protection
4.5.2.2     Power supplies
4.5.2.3     Cabling security
4.5.2.6     Secure disposal or re-use of equipment
4.5.3.1     Clear desk and clear screen policy
4.5.3.2     Removal of property
4.6.1.1     Documented operating procedures
4.6.1.2     Operational change control
4.6.1.4     Segregation of duties
4.6.2.1     Capacity planning
4.6.3.1     Controls against malicious software
4.6.4.2     Operator logs
4.6.4.3     Fault logging
4.6.5.1     Network controls
4.6.6.1     Management of removable computer media
4.6.6.2     Disposal of media
4.6.6.5     Verification of media
4.6.7.2     Security of media in transit
4.6.7.3     Electronic commerce security
4.6.7.4     Security of electronic mail
4.6.7.5     Security of electronic office systems
4.6.7.7     Other forms of information exchange
4.7.1.1     Access control policy
4.7.1.2     Access control based on segregation of duties
4.7.3.1     Password use
4.7.4.1     Policy on use of network services
4.7.4.2     Enforced path
4.7.4.3     User authentication for external connections
4.7.4.4     Node authentication
4.7.4.5     Remote diagnostic port protection
4.7.4.6     Segregation in networks
4.7.4.7     Network connection control
4.7.4.8     Network routing control
4.7.4.9     Security of network services
4.7.5.1     Automatic terminal identification
4.7.5.2     Terminal log-on procedures
4.7.5.5     Use of system utilities
4.7.6.1     Information access restriction
4.7.7.1     Event logging
4.7.7.2     Monitoring system use
4.7.7.3     Clock synchronization
4.8.1.1     Security requirements analysis and specification
4.8.3.1     Policy on the use of cryptographic controls
4.8.4.1     Control of operational software
4.8.5.1     Change control procedures
4.8.5.2     Technical review of operating system changes
4.8.5.3     Restrictions on changes to software packages
4.8.5.4     Covert channels and Trojan code
4.10.2.2    Technical compliance checking



Each asset control is defined as a <Security Control> applied to the <asset type>.
BS7799 Control Reference No.    Control Description
4.2.3.1     Security requirements in outsourcing contracts
4.2.3.2     Security compliance of outsourced service provider
4.2.3.3     Evaluation of outsourced service provider
4.4.1.2     Personnel screening and policy
4.4.1.3     Confidentiality agreements
4.4.1.4     Terms and conditions of employment
4.4.1.5     Identification of sensitive position
4.4.1.6     Verification of computing facilities use
4.4.2.1     Information security education and training
4.4.2.2     Training for job competency
4.4.2.3     Personnel safety training
4.5.2.4     Equipment maintenance
4.5.2.5     Security of equipment off-premises
4.6.1.5     Separation of development and operational facilities
4.6.1.6     External facilities management
4.6.1.7     Review of operational system
4.6.2.2     System acceptance
4.6.4.1     Information back-up
4.6.6.1     Management of removable computer media
4.6.6.2     Disposal of media
4.6.6.4     Security of system documentation
4.6.7.1     Information and software exchange agreements
4.6.7.2     Security of media in transit
4.6.7.3     Electronic commerce security
4.6.7.6     Publicly available systems
4.7.2.1     User registration
4.7.2.2     Privilege management
4.7.2.3     User password management
4.7.2.4     Review of user access rights
4.7.3.1     Password use
4.7.3.2     Unattended user equipment
4.7.5.1     Automatic terminal identification
4.7.5.3     User identification and authentication
4.7.5.4     Password management system
4.7.5.6     Duress alarm to safeguard users
4.7.5.7     Terminal time-out
4.7.5.8     Limitation of connection time
4.7.5.9     Control of input/output device
4.7.6.2     Sensitive system isolation
4.7.8.1     Mobile computing
4.7.8.2     Teleworking
4.8.1.2     Periodic review of security requirements
4.8.2.1     Input data validation
4.8.2.2     Control of internal processing
4.8.2.3     Message authentication
4.8.2.4     Output data validation
4.8.3.2     Encryption
4.8.3.3     Digital signatures


4.8.3.4 


Non-repudiation services 


4.8.3.5 


Key management 


4.8.4.2 


Protection of system test data 


4.8.4.3 


Access control to program source library 


4.8.5.5 


Outsourced software development 


4.8.5.6 


Software maintenance 


4,8.5.7 


Assurance in software development 


4.10.2.2 


Technical compliance testing 


4.10.3.2 


Protection of system audit tools 



To employ the present method, a computer system with an 
associated database (which may be distributed) is 
employed; the database has two parts: a security knowledge 
base and operation information. The security knowledge 
base contains the dataset for the supply of threats and 
controls to the registered information assets. The 
operation information refers to the registered assets and 
the related information that concerns the security of the 
assets. 

The security knowledge base contains information about the 
asset classification types, the zone threats, asset 
threats and security controls. The security knowledge 
base also contains the linkage between asset 
classification types and threats and the linkage between 
threats and security controls. 

The operation information contains information about the 
asset registry, its impact assessment, the zone threats 
and their related implemented controls, the asset threats 
and their related implemented controls, the risk management 
controls and the implementation schedule. 

The database design is shown schematically in figure 12: 
the security knowledge base is stored in the databases on 
the left in this figure, operation information in the 
databases on the right. 

As the present method employs continual assessment, its 
effectiveness relies on the security knowledge base being 
kept up to date. On a regular basis, both new and modified 
threats and the related controls are updated in the 
security knowledge base, which in turn updates the 
operation information. 
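The two-part database just described, with the refresh step that pushes a knowledge base update through to the registered assets, can be sketched as follows. This is an added illustration, not the patent's own code or schema. The BS7799 control reference numbers are the ones listed in the tables above; the threat names, the threat-to-control linkages and the registered assets are constructed for the example.

```python
"""Schematic model of the security knowledge base and the operation
information, plus the update step that reports which applicable controls a
registered asset still lacks after the knowledge base changes.
Added illustration; threats, linkages and assets are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class KnowledgeBase:
    """Security knowledge base: classification types, threats, controls and
    the two linkages (asset type -> threats, threat -> controls)."""
    threats_by_type: dict[str, set[str]] = field(default_factory=dict)
    controls_by_threat: dict[str, set[str]] = field(default_factory=dict)

    def add_threat(self, asset_type: str, threat: str, controls: set[str]) -> None:
        """Register a new or modified threat with the controls that mitigate it."""
        self.threats_by_type.setdefault(asset_type, set()).add(threat)
        self.controls_by_threat.setdefault(threat, set()).update(controls)


@dataclass
class RegisteredAsset:
    """One entry of the asset registry in the operation information."""
    name: str
    asset_type: str                                     # one of the seven classifications
    implemented: set[str] = field(default_factory=set)  # control refs already in place


@dataclass
class OperationInfo:
    assets: dict[str, RegisteredAsset] = field(default_factory=dict)

    def register(self, asset: RegisteredAsset) -> None:
        self.assets[asset.name] = asset


def applicable_controls(kb: KnowledgeBase, asset: RegisteredAsset) -> set[str]:
    """Follow both linkages: asset type -> threats -> controls."""
    controls: set[str] = set()
    for threat in kb.threats_by_type.get(asset.asset_type, ()):
        controls |= kb.controls_by_threat.get(threat, set())
    return controls


def refresh(kb: KnowledgeBase, ops: OperationInfo) -> dict[str, list[str]]:
    """The update step: for every registered asset, report the applicable
    controls that are not yet implemented. An empty result means the operation
    information is consistent with the current knowledge base."""
    gaps: dict[str, list[str]] = {}
    for asset in ops.assets.values():
        missing = applicable_controls(kb, asset) - asset.implemented
        if missing:
            gaps[asset.name] = sorted(missing)
    return gaps


def build_sample_kb() -> KnowledgeBase:
    # Constructed linkages; the control references are taken from the tables above.
    kb = KnowledgeBase()
    kb.add_threat("Software", "malicious code", {"4.8.4.1", "4.8.5.4"})
    kb.add_threat("Media", "loss of media in transit", {"4.6.7.2", "4.8.3.2"})
    return kb


def build_sample_ops() -> OperationInfo:
    # Constructed asset registry.
    ops = OperationInfo()
    ops.register(RegisteredAsset("payroll-app", "Software", {"4.8.4.1"}))
    ops.register(RegisteredAsset("backup-tapes", "Media", {"4.6.7.2", "4.8.3.2"}))
    return ops


if __name__ == "__main__":
    kb, ops = build_sample_kb(), build_sample_ops()
    print(refresh(kb, ops))   # payroll-app still lacks 4.8.5.4
    kb.add_threat("Media", "unrecoverable data loss", {"4.6.4.1"})
    print(refresh(kb, ops))   # the new threat now also flags backup-tapes
```

The point of `refresh` is that a threat added to the knowledge base changes the obligations of every registered asset of the linked classification type without anyone editing the asset registry; the gap list is what feeds the implementation schedule.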

The data in this database is highly sensitive, so it is 
important that the organization have full ownership as 
well as access control and transmission security. Access 
control helps to ensure user accountability, and also 
restricts information access according to a user's access 
rights. Transmission security helps to prevent 
eavesdropping on sensitive information. 

ACCESS CONTROL 

Access control is used to prevent accidental modification 
of information and to prevent unauthorized users from 
viewing sensitive information. 

Workgroups are created with a set of privileges dictating 
the use of system resources. Each user is assigned to a 
workgroup. Within the workgroup, users trust each other 
and have full control over each other's information. No 
information can be shared between workgroups. 
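The workgroup model above reduces to a short authorization check, given here as an added illustration rather than the patent's code; the workgroups, users, records and privilege names are constructed.

```python
"""Workgroup-scoped access control: every user belongs to exactly one
workgroup, a workgroup carries the privilege set over system resources,
members of a workgroup have full control over each other's information, and
nothing is shared across workgroups. Added illustration; names are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Workgroup:
    name: str
    privileges: frozenset[str]      # operations the workgroup may perform


@dataclass(frozen=True)
class User:
    name: str
    workgroup: str                  # each user is assigned to one workgroup


@dataclass(frozen=True)
class Record:
    label: str
    created_by: str                 # kept for accountability, not for authorization
    workgroup: str                  # the workgroup the record belongs to


# Constructed privilege sets.
WORKGROUPS = {
    "finance": Workgroup("finance", frozenset({"read", "write", "assess"})),
    "mis-support": Workgroup("mis-support", frozenset({"read", "write", "backup"})),
}

AUDIT_LOG: list[tuple[str, str, str, bool]] = []   # (user, record, action, allowed)


def authorize(user: User, record: Record, action: str,
              workgroups: dict[str, Workgroup] = WORKGROUPS) -> bool:
    """Allow an action only when the record belongs to the user's own workgroup
    and that workgroup holds the privilege. Who created the record is
    irrelevant: members of a workgroup trust each other fully."""
    wg = workgroups.get(user.workgroup)
    allowed = (
        wg is not None                          # unknown workgroup: deny
        and record.workgroup == user.workgroup  # no sharing between workgroups
        and action in wg.privileges             # privileges are granted per workgroup
    )
    AUDIT_LOG.append((user.name, record.label, action, allowed))  # accountability trail
    return allowed


if __name__ == "__main__":
    alice, carol = User("alice", "finance"), User("carol", "mis-support")
    rec = Record("impact-assessment-payroll", created_by="bob", workgroup="finance")
    print(authorize(alice, rec, "write"))   # True: same workgroup, privilege held
    print(authorize(carol, rec, "read"))    # False: other workgroup, even for read
```

Every decision, allowed or denied, is appended to `AUDIT_LOG` because the text ties access control to user accountability; in a deployment that list would be a persistent log.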

TRANSMISSION SECURITY 

Secure Socket Layer (SSL) is used to secure transmissions 
in information exchange between one or more browsers and a 
central server used to implement the method. 
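A server-side and a client-side context for that browser-to-server exchange, as an added example rather than the patent's code. The text names SSL; the SSL 2.0 and 3.0 protocol versions are retired, so both contexts below insist on TLS 1.2 or later, which is the hardened form of the same requirement. Loading the server's certificate chain with `load_cert_chain` is left out, an assumption of this example.

```python
"""TLS contexts for the browser/server exchange. Added illustration; a real
server would additionally load its certificate and private key."""
import ssl


def make_server_context(minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Context for the central server: refuse every protocol version below `minimum`.
    PROTOCOL_TLS_SERVER already excludes SSLv2/SSLv3; the floor removes TLS 1.0/1.1 too."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    return ctx


def make_client_context() -> ssl.SSLContext:
    """Context for a client that must authenticate the server. The default
    context requires a trusted certificate chain and a matching host name."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def summarize(ctx: ssl.SSLContext) -> dict:
    """The three settings a reviewer checks before trusting the transport."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print("server:", summarize(make_server_context()))
    print("client:", summarize(make_client_context()))
```

The server context reports `verify_mode` of `CERT_NONE`, which is expected: it is the browser that authenticates the server, not the reverse, unless client certificates are also deployed.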






GLOSSARY 

TERM / DESCRIPTION 

Infrastructure Controls 
    Controls that form the foundation for building and maintaining the ISMS. 

Zone 
    An asset custodian who has the responsibility to set up and maintain the 
    environment, or provide the service for the asset. 

Service 
    • A service is viewed as a business delivery to either an internal or 
      external customer. 
    • Provided by one or more systems. 

System 
    • A system is viewed as a data processing machine (information 
      processing) or as a functional responsibility (people). 
    • Put together by one or more assets including hardware, software and 
      information. 
    • Usually performs more than one task/responsibility. 

Asset 
    • Anything that is essential for the formation and working condition of 
      a system. 
    • It has value to an organization. 
    • It performs a specific task/responsibility. 
    • An asset is grouped into seven broad asset classifications: 
      Information, People, Software, Service, Media, Physical and Operating 
      Systems. 

Zone Owner 
    • Oversees the day-to-day operations and maintenance of the zone and is 
      accountable for the service provided by the zone. 
    • Has overall responsibility for defining the security policies, and for 
      recommending and implementing security controls to ensure that the zone 
      is suitably protected from security threats. 
    • May approve the security control implementation plan. 

Zone Manager 
    • The person is the superior of the zone owner. 
    • Is at least of managerial level. 
    • Approves the security policies and security control plans (including 
      budget). 

Asset Owner 
    • Has overall responsibility for defining the security policies and the 
      security and system requirements of the asset. 
    • Can approve the security control implementation plan on the asset. 
    • May be the end-user. 

Asset Manager 
    • The superior of the asset owner. 
    • Of at least managerial level. 
    • Improves the security policies and security control plans (including 
      budget). 

MIS Support Zone 
    • The team taking care of the day-to-day operations, maintenance and 
      enhancement of the information processing facilities. 
    • Includes the MIS support for system, database, and operation. 

Network Zone 
    • The network environment to restrict accessibility from or to a system. 

Physical & Environmental Zone 
    The physical and environmental setup that is available for housing an 
    asset. 

Software Engineering Zone 
    • The software development team that primes the development. 
    • They manage the project and use their software development 
      methodologies. 

Function 
    • The functional team that the zone owner belongs to. 
    • May be a subset of a department. 
    • Has the same functional area of responsibilities in a service. 

Workgroup 
    • Provides a service for the assets. 
    • May comprise one Function but usually comprises several. 

Impact Assessment 
    • Impact assessment is a measure of the impact a system has on a service 
      in the event of system failure. 
    • It is measured in two dimensions: 1) viewed from a management 
      standpoint (Management Intent), and 2) viewed from a system standpoint 
      (Impact Value). 
    • Impact is calculated on a per incident/loss/compromise basis. 

Management Intent 
    • Comprises a set of impact criteria: Loss of Productivity, Loss of 
      Opportunity, Loss Due to Regulatory Breach, Cost of System Investment, 
      and Information Classification. 
    • A percentage is assigned by management to each criterion based on its 
      relative importance to the organization. 

Impact Value 
    • Comprises the same set of impact criteria as Management Intent, except 
      'Information Classification'. 
    • Indicates the financial loss for each impact criterion in an event of 
      loss of confidentiality, integrity or system availability. 

Threat 
    • Has the potential to cause an unwanted incident by exploiting a 
      vulnerability. 
    • May result in harm to an asset. 
    • Usually has the following: a catalyst (or tool) to facilitate the 
      exploitation, a motivation for the exploitation and an outcome due to 
      the exploitation. 

Likelihood 
    • The probability of the threat happening, determined from 
      national/international values/statistics (so may vary from location 
      to location). 
    • Determined without any consideration of controls. 
    • Since likelihood directly affects risk level, the likelihood for each 
      threat is established by management before risk assessment is 
      performed. 
CONCLUSION 

The method of performing risk assessment described above 
is thus a quantitative risk assessment approach. The 
compliance or advantages of this method are as follows: 

Quantitative advantage:    Results are substantially based on independently 
                           objective processes and metrics. 
Present method compliance: All components are based on mathematical 
                           computation. 

Quantitative advantage:    Great effort put into asset value determination 
                           and risk mitigation. 
Present method compliance: Employs a rich knowledge database for risk 
                           mitigation and includes a mechanism for valuing 
                           asset impact. 

Quantitative advantage:    Includes a cost/benefit assessment. 
Present method compliance: Provides a range of measures for users to select 
                           to mitigate risk. 

Quantitative advantage:    Results can be expressed in management-specific 
                           language. 
Present method compliance: Can produce reports based on statistical 
                           computation of degree of control implementation. 

Quantitative disadvantage: Calculations can be complex. 
Present method advantage:  Mathematical computations can be performed behind 
                           the scenes, so users can concentrate on risk 
                           assessment. 

Quantitative disadvantage: To work well, must be used with a recognized 
                           automated tool and associated knowledge base. 
Present method advantage:  Comprises an automated tool with associated 
                           knowledge base. 

Quantitative disadvantage: Requires large amounts of preparatory work. 
Present method advantage:  Provides a range of solutions for the users to 
                           select to mitigate the risk. 

Quantitative disadvantage: Generally not presented on a personal level. 
Present method advantage:  Divides the assessment into custodians and 
                           owners; each is presented on a personal level. 

Quantitative disadvantage: Participants cannot be easily coached through the 
                           process. 
Present method advantage:  Should allow ready training of participants in 
                           risk assessment. 

Modifications within the scope of the invention may be 
readily effected by those skilled in the art. It is to be 
understood, therefore, that this invention is not limited 
to the particular embodiments described by way of example 
hereinabove. 






CLAIMS: 

1. A method for assessing risk within an organization, 
comprising: 
    defining one or more zones, each of said one or more 
zones comprising an environment; 
    identifying one or more assets of said organization, 
each of said assets being located in a respective one of 
said zones; 
    conducting a respective impact assessment for each of 
said assets, each assessment comprising assessing the 
impact of the loss of said respective asset; 
    conducting for each of said zones a respective zone 
risk assessment, comprising assessing the risk level 
associated with placing a respective asset within said 
respective corresponding zone; 
    conducting for each asset a respective asset risk 
assessment, comprising assessing the risk level associated 
with said respective asset independent of the respective 
zone of said respective asset; and 
    assessing risk on the basis of at least said impact 
assessment, said zone risk assessments and said asset risk 
assessments. 

2. A method as claimed in claim 1, including identifying 
one or more asset custodians, each comprising a custodian 
of a respective asset, and identifying one or more asset 
owners, each comprising an owner of a respective one or 
more of said assets. 

3. A method as claimed in claim 2, wherein each of said 
custodians is an employee with care-taking 
responsibilities. 

4. A method as claimed in claim 1, including maintaining 
a register of said assets. 

5. A method as claimed in claim 4, wherein said register 
includes a respective owner of each of said assets. 

6. A method as claimed in claim 1, including maintaining 
a register of said zones. 

7. A method as claimed in claim 6, wherein said register 
includes a respective custodian of each of said zones. 

8. A method as claimed in claim 1, wherein each of said 
assets is information related. 

9. A method as claimed in claim 2, wherein each of said 
assets is information related, and each of said asset 
custodians is an information custodian, each comprising a 
custodian of a respective information storage device 
within said organization. 

10. A method as claimed in claim 9, including defining at 
least four types of custodians: 1) physical and 
environment custodians, 2) network custodians, 3) software 
engineering custodians, and 4) MIS support custodians. 

11. A method as claimed in claim 2, wherein each of said 
respective zone assessments is conducted by the respective 
custodian of said respective zone. 

12. A method as claimed in claim 2, wherein each of said 
respective asset assessments is conducted by the 
respective owner of said respective asset. 

13. A method as claimed in claim 1, including regarding 
the loss of an asset as equivalent to the loss of a system 
of which said asset is a part. 

14. A method as claimed in claim 1, including determining 
a measured risk for each asset, said measured risk for a 
respective asset comprising the product of 1) an impact 
level determined in said impact assessment and 2) the 
maximum of an asset risk determined in said asset risk 
assessment and an asset risk determined in said zone risk 
assessment. 

15. A method as claimed in claim 2, wherein none of said 
custodians is an owner. 

16. An apparatus for assessing risk within an 
organization, comprising: 
    data input means for inputting asset information 
into a register of assets, each of said assets being an 
asset of said organization, each of said assets being 
located in a respective zone; 
    data storage for storing said register of assets, 
including for each of said assets said respective zone; 
    means for receiving or storing a respective zone 
risk assessment for each of said zones, said respective 
zone risk assessment comprising an assessment of the risk 
level associated with placing a respective asset within 
said respective corresponding zone; 
    means for receiving or storing a respective asset 
risk assessment for each asset, said respective asset risk 
assessment comprising an assessment of the risk level 
associated with said respective asset independent of the 
respective zone of said respective asset; 
    means for receiving or storing a respective 
impact assessment for each of said assets, each assessment 
comprising assessing the impact of the loss of said 
respective asset, and for assessing risk on the basis of 
at least said impact assessment, said zone risk 
assessments and said asset risk assessments to thereby 
form a risk assessment; and 
    output means for outputting said risk assessment. 

17. An apparatus as claimed in claim 16, wherein said 
apparatus is operable to associate with each of said 
assets an asset custodian, each comprising a custodian of 
a respective asset, and to associate with each of said 
assets at least one asset owner, each comprising an owner 
of a respective one or more of said assets. 

18. An apparatus as claimed in claim 16, wherein said 
register of assets includes a respective owner of each of 
said assets. 

19. An apparatus as claimed in claim 16, wherein said 
apparatus includes data storage for storing a register of 
said zones. 

20. An apparatus as claimed in claim 19, wherein said 
zone register includes data for associating a respective 
custodian with each of said zones. 

21. An apparatus as claimed in claim 16, wherein each of 
said assets is information related. 

22. An apparatus as claimed in claim 16, wherein said 
apparatus is operable to treat the loss of an asset as 
equivalent to the loss of a system of which said asset is 
a part. 

23. An apparatus as claimed in claim 16, wherein said 
apparatus is operable to determine a measured risk for 
each asset, said measured risk for a respective asset 
comprising the product of 1) an impact level determined in 
said impact assessment and 2) the maximum of an asset risk 
determined in said asset risk assessment and an asset risk 
determined in said zone risk assessment. 

24. A risk management method, comprising: 
    assessing risk according to the method of any one 
of claims 1 to 15; and 
    managing said risk. 

25. A method as claimed in claim 24, wherein said 
managing of said risk comprises: 
    determining the distribution of the number of 
assets as a function of associated measured risk; 
    determining a maximum acceptable risk level; and 
    applying one or more controls if any of said 
assets exceeds said maximum acceptable risk level. 

26. A method as claimed in claim 24, wherein said 
acceptable risk level comprises the lower of the highest 
available measured risk or 100%. 
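The measured-risk product of claims 14 and 23 and the management steps of claims 25 and 26, carried through on sample data. This is an added illustration, not the patent's code. The claims do not fix a numeric scale, so the example assumes impact levels and risk levels are fractions in [0, 1] (1.0 being 100%); the assets and their assessment values are constructed.

```python
"""Measured risk (claims 14/23), the distribution of assets by measured risk and
the control-trigger check (claim 25), and the default acceptable level
(claim 26). Added illustration; scale and sample values are assumptions."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetAssessment:
    name: str
    zone: str
    impact_level: float   # from the impact assessment of the asset, 0..1
    asset_risk: float     # from the asset risk assessment (zone-independent), 0..1
    zone_risk: float      # from the zone risk assessment of the asset's zone, 0..1


def measured_risk(a: AssetAssessment) -> float:
    """Claim 14: impact level x max(asset risk, zone risk)."""
    for v in (a.impact_level, a.asset_risk, a.zone_risk):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{a.name}: assessment values must lie in [0, 1], got {v}")
    return a.impact_level * max(a.asset_risk, a.zone_risk)


def risk_distribution(assets, width_pct: int = 10) -> dict[int, int]:
    """Claim 25, first step: number of assets as a function of measured risk,
    counted in percentage bands (key = lower bound of the band in percent)."""
    counts: Counter[int] = Counter()
    for a in assets:
        pct = round(measured_risk(a) * 100)                  # integer percent avoids float banding errors
        band = min(pct // width_pct, 100 // width_pct - 1)   # exactly 100% joins the top band
        counts[band * width_pct] += 1
    return dict(sorted(counts.items()))


def default_acceptable_risk(assets) -> float:
    """Claim 26: the lower of the highest available measured risk or 100%."""
    return min(max(measured_risk(a) for a in assets), 1.0)


def assets_exceeding(assets, acceptable: float) -> list[str]:
    """Claim 25, last step: assets that need one or more controls applied
    because their measured risk exceeds the maximum acceptable level."""
    return [a.name for a in assets if measured_risk(a) > acceptable]


# Constructed sample assessments.
SAMPLE_ASSETS = [
    AssetAssessment("payroll-db",   "mis-support",  impact_level=0.9, asset_risk=0.4, zone_risk=0.7),
    AssetAssessment("intranet-web", "network",      impact_level=0.5, asset_risk=0.6, zone_risk=0.3),
    AssetAssessment("build-server", "software-eng", impact_level=0.3, asset_risk=0.2, zone_risk=0.2),
    AssetAssessment("mail-gateway", "network",      impact_level=0.7, asset_risk=0.8, zone_risk=0.5),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name:14s} measured risk {measured_risk(a):.2f}")
    print("distribution:", risk_distribution(SAMPLE_ASSETS))
    print("default acceptable level:", round(default_acceptable_risk(SAMPLE_ASSETS), 2))
    print("exceeding 50%:", assets_exceeding(SAMPLE_ASSETS, 0.5))
```

Note that with the claim 26 default the acceptable level equals the highest measured risk present, so no asset exceeds it until management lowers the threshold; the `assets_exceeding(..., 0.5)` call shows the effect of a management-set level of 50%.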



ABSTRACT 

RISK CONTROL SYSTEM 

The invention provides a method for assessing risk within 
an organization, comprising: defining one or more zones 
(2), each of the one or more zones comprising an 
environment; identifying one or more assets (4) of the 
organization, each of the assets being located in a 
respective one of the zones; conducting a respective 
impact assessment (6) for each of the assets, each 
assessment comprising assessing the impact of the loss of 
the respective asset; conducting for each of the zones a 
respective zone risk assessment (8a), comprising assessing 
the risk level associated with placing a respective asset 
within the respective corresponding zone; and conducting 
for each asset a respective asset risk assessment (8b), 
comprising assessing the risk level associated with the 
respective asset independent of the respective zone of the 
respective asset; and assessing risk on the basis of at 
least the impact assessment, the zone risk assessments and 
the asset risk assessments. The invention also provides a 
risk management method, comprising assessing risk 
according to the method described above and managing said 
risk. 



[Fig. 1] 



